CVE-2017-7658
Summary
| Field | Value |
|---|---|
| CVE | CVE-2017-7658 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-06-26 17:29:00 UTC |
| Updated | 2023-11-07 02:50:00 UTC |
| Description | In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non-HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a Content-Length and a chunked Transfer-Encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length but still passed on the longer body, the remaining body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. |
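The description turns on one parser decision: which header delimits the request body when the framing headers disagree. The defensive fix is to refuse to pick a winner. RFC 7230 section 3.3.3 treats a message carrying both Transfer-Encoding and Content-Length as a likely smuggling attempt that ought to be handled as an error, and multiple Content-Length fields with differing values as an unrecoverable framing error; section 3.2.4 additionally requires a server to reject whitespace between a field name and the colon (the "Whitespace" item in the Eclipse bug title below). The following is an added example of such a strict framing check, written for this page and not taken from Jetty; the function names and the sample requests are constructed for illustration.

```python
"""Strict HTTP/1.1 body-framing check (added example; not Jetty's code).

Where a lenient parser silently prefers the first Content-Length, or lets
Transfer-Encoding quietly override Content-Length, a front-end proxy and the
back-end may disagree about where one request ends. Rejecting every ambiguous
framing at parse time removes that disagreement. All sample input is constructed.
"""
import re

_DIGITS = re.compile(rb"[0-9]+")


def parse_headers(raw):
    """Parse the header block of one HTTP/1.x request into a list of (name, value).

    Duplicates and order are preserved so the framing check sees every
    Content-Length that was sent, not just the first or the last one.
    Raises ValueError for lines a strict server must reject.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        if name != name.rstrip():
            # RFC 7230 3.2.4: whitespace before the colon MUST be rejected by servers.
            raise ValueError("whitespace before colon in field name")
        headers.append((name.lower(), value.strip()))
    return headers


def framing_decision(headers):
    """Decide how the body is delimited, or reject the message.

    Returns ("reject", reason), ("chunked", None) or ("content-length", n).
    """
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]

    if tes and cls:
        # RFC 7230 3.3.3 item 3: do not let one header override the other.
        return ("reject", "both Transfer-Encoding and Content-Length present")
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(b",")]
        if codings[-1] != b"chunked":
            # Without a final "chunked" the body length is unknowable.
            return ("reject", "final transfer-coding is not chunked")
        return ("chunked", None)
    if cls:
        # Every value (across repeated fields and comma-lists inside one field)
        # must be a decimal number, and all of them must agree.
        values = [v.strip() for field in cls for v in field.split(b",")]
        if any(not _DIGITS.fullmatch(v) for v in values):
            return ("reject", "non-numeric Content-Length")
        if len(set(values)) != 1:
            return ("reject", "conflicting Content-Length values")
        return ("content-length", int(values[0]))
    return ("content-length", 0)


def check_request(raw):
    """Convenience wrapper: parse and decide, mapping parse errors to rejections."""
    try:
        return framing_decision(parse_headers(raw))
    except ValueError as exc:
        return ("reject", str(exc))


if __name__ == "__main__":
    # Constructed samples: the first two are the ambiguous shapes the CVE text describes.
    samples = [
        b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nContent-Length: 11\r\n\r\nhello",
        b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
        b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length : 5\r\n\r\nhello",
        b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
    ]
    for s in samples:
        print(check_request(s))
```

Identical duplicate Content-Length values are accepted here because RFC 7230 permits a recipient to treat them as a single field; a stricter deployment can rightly turn that case into a rejection as well. The useful property is that a proxy and the server behind it running the same decision function cannot reach different answers on the same bytes.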
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | MLIST | lists.apache.org | |
| Jetty Multiple Flaws Let Remote Users Conduct HTTP Request Smuggling and Session Hijacking Attacks and Determine the Installation Path - SecurityTracker | SECTRACK | www.securitytracker.com | Third Party Advisory, VDB Entry |
| Document Display \| HPE Support Center | CONFIRM | support.hpe.com | Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - October 2020 | MISC | www.oracle.com | Third Party Advisory |
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Oracle Critical Patch Update - January 2019 | CONFIRM | www.oracle.com | Patch, Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| 535669 – (CVE-2017-7658) Jetty: CVE Request: Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace | CONFIRM | bugs.eclipse.org | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| September 2018 Eclipse Jetty Vulnerabilities in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| Oracle Critical Patch Update - October 2019 | MISC | www.oracle.com | Patch, Third Party Advisory |
| Debian -- Security Information -- DSA-4278-1 jetty9 | DEBIAN | www.debian.org | Third Party Advisory |
| Oracle Retail Xstore Payment Multiple Remote Security Vulnerabilities | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 20288 Oracle Database 19c Critical OJVM Patch Update - October 2020
- 20297 Oracle Database 18c Critical OJVM Patch Update - October 2020
- 20313 Oracle Database 12.2.0.1 Critical OJVM Patch Update - October 2020
- 376527 F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) Eclipse Jetty Vulnerabilities (K10002140)
- 981994 Java (maven) Security Update for org.eclipse.jetty:jetty-server (GHSA-6x9x-8qw9-9pp6)